Snort mailing list archives

Re: lots of alerts on so rule "possible DGA detected"


From: <kestutis.malakauskas () barclays com>
Date: Tue, 25 Nov 2014 09:52:39 +0000

Hello,

Same here, we do see lots of (FP) hits. This SIG doesn't seem to be very useful at this point.

Kestutis

Kestutis Malakauskas |  Lead Attack Monitoring Analyst  | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas () barclays com
Barclays , 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com

Hotline: +370 520 62424

From: Ronny Vaningh [mailto:ronny () guard-it be]
Sent: 25 November 2014 09:56
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] lots of alerts on so rule "possible DGA detected"

Hi

I'm seeing a lot of alerts on an SO rule that looks for DGA's.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected"; sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|31738, service dns;)


It seems to trigger on DNS requests that are appending search domains, like:

First the host does a request for
myserverhostname001.subdomain.domain.com
After receiving an NXDOMAIN it appends a search domain suffix and generates a request like

myserverhostname543.subdomain.domain.com.searchdomain.com



Does anyone know what this SO rule is actually looking for, and is there any way I can influence this? It looks
pretty useful, so I want to avoid disabling it.


Regards


Ronny
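To make the false-positive mechanism described above concrete, here is an added example that is not code from this thread or from the sid 31738 shared-object rule: a toy "random-looking hostname in NXDOMAIN" scorer run over constructed DNS log lines, with a normalisation step that strips the resolver search list before scoring so the suffix-expanded retries stop inflating the alert count. The features, thresholds, search list and log format are illustrative assumptions.

```python
# Added example, not the Snort-sigs thread's or the SO rule's own logic.
# Toy scorer for "random-looking hostname in an NXDOMAIN response", plus a
# search-list normalisation step. Features, thresholds, the search list and
# the log format are illustrative assumptions.
import re
from collections import Counter

SEARCH_DOMAINS = ("searchdomain.com", "corp.example")   # constructed search list
VOWELS = set("aeiou")

def strip_search_suffix(qname):
    """Return the name with any configured search-list suffix removed."""
    name = qname.rstrip(".").lower()
    for suffix in SEARCH_DOMAINS:
        if name.endswith("." + suffix):
            return name[: -len(suffix) - 1]
    return name

def looks_random(qname):
    """Toy heuristic (assumption): consonant-heavy leftmost label, or an unusually
    deep and long name. The second feature is what search-suffix retries trip
    over, so it reproduces the false-positive class seen in the thread."""
    labels = qname.split(".")
    letters = re.sub(r"[^a-z]", "", labels[0].lower())
    consonant_heavy = (len(letters) >= 8 and
                       sum(ch in VOWELS for ch in letters) / len(letters) < 0.2)
    deep_and_long = len(labels) >= 5 and len(qname) >= 40
    return consonant_heavy or deep_and_long

def score_log(lines, normalise):
    """Count alerts per NXDOMAIN'd name. Each line is 'client qname rcode'."""
    alerts = Counter()
    for line in lines:
        client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":          # the rule only fires on "domain not found"
            continue
        name = strip_search_suffix(qname) if normalise else qname.lower()
        if looks_random(name):
            alerts[name] += 1
    return alerts

# Constructed log: one internal host lookup retried through the search list,
# plus one genuinely random-looking name and one successful lookup.
SAMPLE_LOG = [
    "10.1.1.5 myserverhostname543.subdomain.domain.com NXDOMAIN",
    "10.1.1.5 myserverhostname543.subdomain.domain.com.searchdomain.com NXDOMAIN",
    "10.1.1.5 myserverhostname543.subdomain.domain.com.corp.example NXDOMAIN",
    "10.1.1.7 xq7zk2pwvm9tlr.example.net NXDOMAIN",
    "10.1.1.7 www.example.net NOERROR",
]

if __name__ == "__main__":
    print("raw:       ", dict(score_log(SAMPLE_LOG, normalise=False)))  # 3 alerts
    print("normalised:", dict(score_log(SAMPLE_LOG, normalise=True)))   # 1 alert
```

Run as-is, the raw pass alerts on both suffix-expanded retries of the internal name while the normalised pass alerts only on the random-looking one; the same normalisation idea applies to any detector that scores the full QNAME of an NXDOMAIN response.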

